IN THE CLAIMS 

Amended claims follow: 

1. (Currently Amended) A method for providing network security features, 
comprising [deleted: the steps of]: 

(a) identifying a plurality of network objects; 

(b) retrieving rule sets associated with at least one of the identified network 
objects, the rule sets including a plurality of policy rules that govern actions 
relating to the identified network objects; 

(c) reconciling overlapping policy rules of the rule sets amongst the network 
objects; and 

(d) executing the reconciled rule sets; 

wherein the rule sets are combined into a single rule set, and duplicate policy 
rules of the rule sets are removed; 

wherein a user is notified of conflicting policy rules of the rule sets; 

wherein included is a first graphical user interface that allows a user to 
associate the network objects with the rule sets, a second graphical user interface 
that allows the user to create associations of the rule sets and the network objects for 
a firewall, a third graphical user interface that is displayed upon selection of a 
network object, a fourth graphical user interface for creating and editing the rule 
sets, a fifth graphical user interface for configuring a new policy rule for being 
added to one of the rule sets, a sixth graphical user interface for adding a new 
network object and a seventh graphical user interface for editing one of the network 
objects. 

2. (Original) The method as recited in claim 1, wherein each policy rule of the 
reconciled rule sets includes a rule action selected from the group consisting 
of: permitting an action relating to the identified network objects, denying 
an action relating to the identified network objects, and conditionally 
denying an action relating to the identified network objects. 
3. (Original) The method as recited in claim 2, wherein an action relating to the 
identified network objects is permitted if no policy rules deny the action, at 
least one policy rule conditionally denies the action, and at least one policy 
rule permits the action. 

4. (Original) The method as recited in claim 2, wherein the policy rules denying 
the action are evaluated first, the policy rules conditionally denying the 
action are evaluated second, and the policy rules permitting the action are 
evaluated third. 

5. (Original) The method as recited in claim 1, wherein an action relating to the 
identified network objects is denied if none of the policy rules permit the 
action. 

6. (Original) The method as recited in claim 1, wherein an action relating to the 
identified network objects is denied if none of the policy rules match a 
request for the action. 
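Claims 1 through 6 together describe a small policy engine: per-object rule sets are merged into one set with duplicates removed and conflicts reported to the user, and a request is then decided by evaluating denies first, conditional denies second and permits third, with deny as the outcome whenever nothing permits or nothing matches. The following is an added worked example written for this page, not code from the patent or its applicant; the rule-set names, network object names, actions and the definition of a "conflict" (an outright deny and permit for the same object and action) are all assumptions made for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Rule effects, listed in the order the claims evaluate them:
# denies first, conditional denies second, permits third (claim 4).
DENY, COND_DENY, PERMIT = "deny", "conditional_deny", "permit"
EVAL_ORDER = {DENY: 0, COND_DENY: 1, PERMIT: 2}


@dataclass(frozen=True)
class PolicyRule:
    network_object: str  # the network object the rule governs (names below are constructed)
    action: str          # the action requested against that object
    effect: str          # DENY, COND_DENY or PERMIT


def reconcile(rule_sets: dict[str, list[PolicyRule]]) -> tuple[list[PolicyRule], list[str]]:
    """Combine several rule sets into one, drop exact duplicates, and produce
    the notices a user would be shown for conflicting rules. Treating 'conflict'
    as an outright deny plus permit for the same object/action is an assumption;
    the claims do not define the term."""
    combined: list[PolicyRule] = []
    seen: set[PolicyRule] = set()
    for _name, rules in rule_sets.items():
        for rule in rules:
            if rule in seen:
                continue  # duplicate policy rule removed (claim 1)
            seen.add(rule)
            combined.append(rule)

    effects_by_key: dict[tuple[str, str], set[str]] = {}
    for rule in combined:
        effects_by_key.setdefault((rule.network_object, rule.action), set()).add(rule.effect)
    notices = [
        f"conflict: {obj}/{action} is both permitted and denied"
        for (obj, action), effects in sorted(effects_by_key.items())
        if DENY in effects and PERMIT in effects
    ]
    return combined, notices


def evaluate(rules: list[PolicyRule], network_object: str, action: str) -> tuple[str, str]:
    """Decide a request against the reconciled rule set and return (decision, reason).
    Matching rules are walked in EVAL_ORDER, so a deny is seen before any permit."""
    matching = sorted(
        (r for r in rules if r.network_object == network_object and r.action == action),
        key=lambda r: EVAL_ORDER[r.effect],
    )
    if not matching:
        return DENY, "no policy rule matches the request"      # claim 6
    conditionally_denied = False
    for rule in matching:
        if rule.effect == DENY:
            return DENY, "a policy rule denies the action"     # denies are evaluated first
        if rule.effect == COND_DENY:
            conditionally_denied = True                        # evaluated second; a permit may still follow
        elif rule.effect == PERMIT:                            # permits are evaluated third (claim 3)
            if conditionally_denied:
                return PERMIT, "permitted despite a conditional deny"
            return PERMIT, "a policy rule permits the action"
    return DENY, "no policy rule permits the action"           # claim 5


# Constructed sample rule sets; object and action names are invented for the example.
WEB_TIER = [
    PolicyRule("web-server", "http", PERMIT),
    PolicyRule("web-server", "telnet", DENY),
    PolicyRule("db-server", "http", DENY),
]
ADMIN = [
    PolicyRule("web-server", "http", PERMIT),      # exact duplicate of a WEB_TIER rule
    PolicyRule("web-server", "telnet", PERMIT),    # conflicts with the WEB_TIER deny
    PolicyRule("db-server", "ssh", COND_DENY),
    PolicyRule("db-server", "ssh", PERMIT),        # permit plus conditional deny -> permitted
    PolicyRule("db-server", "smtp", COND_DENY),    # conditional deny with no permit -> denied
]
SAMPLE_RULE_SETS = {"web-tier": WEB_TIER, "admin": ADMIN}


def demo() -> dict[str, str]:
    """Reconcile the sample rule sets, print the conflict notices, and decide a few requests."""
    rules, notices = reconcile(SAMPLE_RULE_SETS)
    for notice in notices:
        print("NOTICE", notice)
    requests = [("web-server", "http"), ("web-server", "telnet"), ("db-server", "ssh"),
                ("db-server", "smtp"), ("db-server", "ftp")]
    return {f"{obj}/{action}": evaluate(rules, obj, action)[0] for obj, action in requests}


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request}: {decision}")
```

Running the block reconciles eight rules into seven (one duplicate dropped), reports the telnet deny/permit conflict, and shows the three decision paths the claims spell out: the deny on telnet wins over the later permit, ssh is permitted although a conditional deny is present, and smtp and the unmatched ftp request both fall through to deny.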

7. (Cancelled) 

8. (Cancelled) 

9. (Cancelled) 

10. (Original) The method as recited in claim 1, wherein the rule sets are 
associated with a particular network object. 

11. (Original) The method as recited in claim 1, wherein a protocol configuration 
enforced by a related proxy is selected from a hierarchal list if an action is 
permitted by more than one rule. 

12. (Currently Amended) A computer program product for providing network 
security features, comprising: 
(a) computer code for identifying a plurality of network objects; 

(b) computer code for retrieving rule sets associated with at least one of the 
identified network objects, the rule sets including a plurality of policy rules 
that govern actions relating to the identified network objects; 

(c) computer code for reconciling overlapping policy rules of the rule sets 
amongst the network objects; and 

(d) computer code for executing the reconciled rule sets; 

wherein the rule sets are combined into a single rule set, and duplicate policy 
rules of the rule sets are removed; 

wherein a user is notified of conflicting policy rules of the rule sets; 

wherein included is a first graphical user interface that allows a user to 
associate the network objects with the rule sets, a second graphical user interface 
that allows the user to create associations of the rule sets and the network objects for 
a firewall, a third graphical user interface that is displayed upon selection of a 
network object, a fourth graphical user interface for creating and editing the rule 
sets, a fifth graphical user interface for configuring a new policy rule for being 
added to one of the rule sets, a sixth graphical user interface for adding a new 
network object and a seventh graphical user interface for editing one of the network 
objects . 

13. (Original) The computer program product as recited in claim 12, wherein 
each policy rule of the reconciled rule sets includes a rule action selected 
from the group consisting of: permitting an action relating to the identified 
network objects, denying an action relating to the identified network objects, 
and conditionally denying an action relating to the identified network 
objects. 

14. (Original) The computer program product as recited in claim 13, wherein an 
action relating to the identified network objects is permitted if no policy rules 
deny the action, at least one policy rule conditionally denies the action, and 
at least one policy rule permits the action. 
15. (Original) The computer program product as recited in claim 13, wherein the 
policy rules denying the action are evaluated first, the policy rules 
conditionally denying the action are evaluated second, and the policy rules 
permitting the action are evaluated third. 

16. (Original) The computer program product as recited in claim 12, wherein an 
action relating to the identified network objects is denied if none of the 
policy rules permit the action. 

17. (Original) The computer program product as recited in claim 12, wherein an 
action relating to the identified network objects is denied if none of the 
policy rules match a request for the action. 

18. (Cancelled) 

19. (Cancelled) 

20. (Cancelled) 

21. (Original) The computer program product as recited in claim 12, wherein the 
rule sets are associated with a particular network object. 

22. (Original) The computer program product as recited in claim 12, wherein a 
protocol configuration enforced by a related proxy is selected from a 
hierarchal list if an action is permitted by more than one rule. 

23. (Currently Amended) A rule based network security system for providing 
network security features, comprising: 

(a) logic for identifying a plurality of network objects; 

(b) logic for retrieving rule sets associated with at least one of the identified 
network objects, the rule sets including a plurality of policy rules that govern 
actions relating to the identified network objects; 
(c) logic for reconciling overlapping policy rules of the rule sets amongst the 
network objects; and 

(d) logic for executing the reconciled rule sets; 

wherein the rule sets are combined into a single rule set, and duplicate policy 
rules of the rule sets are removed; 

wherein a user is notified of conflicting policy rules of the rule sets; 

wherein included is a first graphical user interface that allows a user to 
associate the network objects with the rule sets, a second graphical user interface 
that allows the user to create associations of the rule sets and the network objects for 
a firewall, a third graphical user interface that is displayed upon selection of a 
network object, a fourth graphical user interface for creating and editing the rule 
sets, a fifth graphical user interface for configuring a new policy rule for being 
added to one of the rule sets, a sixth graphical user interface for adding a new 
network object and a seventh graphical user interface for editing one of the network 
objects. 

24. (Currently Amended) A method for establishing network security, 
comprising the steps of: 

(a) providing a plurality of network objects of a network and a plurality of rule 
sets; and 

(b) associating the network objects with the rule sets; 

(c) wherein the rule sets include a plurality of policy rules that govern actions 
relating to the identified network objects during operation of the network; 

[deleted: wherein a plurality of the rule sets are combined into a single rule set, and 
duplicate policy rules of the rule sets are removed;] 

wherein a user is notified of conflicting policy rules of the rule sets; 

wherein included is at least three graphical user interfaces selected from the 
group consisting of a first graphical user interface that allows a user to associate the 
network objects with the rule sets, a second graphical user interface that allows the 
user to create associations of the rule sets and the network objects for a firewall, a 
third graphical user interface that is displayed upon selection of a network object, a 
fourth graphical user interface for creating and editing the rule sets, a fifth graphical 
user interface for configuring a new policy rule for being added to one of the rule 
sets, a sixth graphical user interface for adding a new network object and a seventh 
graphical user interface for editing one of the network objects. 

25. (Cancelled) 

26. (Original) The method as recited in claim 24, wherein each policy rule of the 
reconciled rule sets includes a rule action selected from the group consisting 
of: permitting an action relating to the identified network objects, denying 
an action relating to the identified network objects, and conditionally 
denying an action relating to the identified network objects. 

27. (Original) The method as recited in claim 26, wherein an action relating to 
the identified network objects is permitted if no policy rules deny the action, 
at least one policy rule conditionally denies the action, and at least one policy 
rule permits the action. 

28. (Original) The method as recited in claim 24, wherein an action relating to 
the identified network objects is denied if none of the policy rules permit the 
action. 

29. (Currently Amended) A computer program product for establishing network 
security, comprising: 

(a) computer code for providing a plurality of network objects of a network and 
a plurality of rule sets; and 

(b) computer code for associating the network objects with the rule sets; 

(c) wherein the rule sets include a plurality of policy rules that govern actions 
relating to the identified network objects during operation of the network; 
wherein a plurality of the rule sets are combined into a single rule set, and 

duplicate policy rules of the rule sets are removed; 

wherein a user is notified of conflicting policy rules of the rule sets; 

wherein included is a first graphical user interface that allows a user to 
associate the network objects with the rule sets, a second graphical user interface 
that allows the user to create associations of the rule sets and the network objects for 
a firewall, a third graphical user interface that is displayed upon selection of a 
network object, a fourth graphical user interface for creating and editing the rule 
sets, a fifth graphical user interface for configuring a new policy rule for being 
added to one of the rule sets, a sixth graphical user interface for adding a new 
network object and a seventh graphical user interface for editing one of the network 
objects. 



30. (Cancelled) 

31. (Original) The computer program product as recited in claim 29, wherein 
each policy rule of the reconciled rule sets includes a rule action selected 
from the group consisting of: permitting an action relating to the identified 
network objects, denying an action relating to the identified network objects, 
and conditionally denying an action relating to the identified network 
objects. 

32. (Original) The computer program product as recited in claim 31, wherein an 
action relating to the identified network objects is permitted if no policy rules 
deny the action, at least one policy rule conditionally denies the action, and 
at least one policy rule permits the action. 

33. (Original) The computer program product as recited in claim 29, wherein an 
action relating to the identified network objects is denied if none of the 
policy rules permit the action. 



34. (Cancelled) 

35. (Currently Amended) [deleted: The method as recited in claim 4,] A method for 
providing network security features, comprising the steps of: 

(a) identifying a plurality of network objects; 

(b) retrieving rule sets associated with at least one of the identified network 
objects, the rule sets including a plurality of policy rules that govern actions 
relating to the identified network objects; 

(c) reconciling overlapping policy rules of the rule sets amongst the network 
objects; and 

(d) executing the reconciled rule sets; 

wherein the rule sets are combined into a single rule set, and duplicate policy 
rules of the rule sets are removed; 

wherein a user is notified of conflicting policy rules of the rule sets; 

wherein included is a first graphical user interface that allows a user to 
associate the network objects with the rule sets, a second graphical user interface 
that allows the user to create associations of the rule sets and the network objects for 
a firewall, a third graphical user interface that is displayed upon selection of a 
network object, a fourth graphical user interface for creating and editing the rule 
sets, a fifth graphical user interface for configuring a new policy rule for being 
added to one of the rule sets, a sixth graphical user interface for adding a new 
network object, and a seventh graphical user interface for editing one of the network 
objects. 